<!DOCTYPE HTML>

<html lang="en">
<head>

<title>StrictHttpFirewall (spring-security-docs 5.6.3 API)</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel="stylesheet" type="text/css" href="../../../../../stylesheet.css" title="Style">
<link rel="stylesheet" type="text/css" href="../../../../../jquery/jquery-ui.css" title="Style">
<script type="text/javascript" src="../../../../../script.js"></script>
<script type="text/javascript" src="../../../../../jquery/jszip/dist/jszip.min.js"></script>
<script type="text/javascript" src="../../../../../jquery/jszip-utils/dist/jszip-utils.min.js"></script>
<!--[if IE]>
<script type="text/javascript" src="../../../../../jquery/jszip-utils/dist/jszip-utils-ie.min.js"></script>
<![endif]-->
<script type="text/javascript" src="../../../../../jquery/jquery-3.5.1.js"></script>
<script type="text/javascript" src="../../../../../jquery/jquery-ui.js"></script>
</head>
<body>
<script type="text/javascript"><!--
    try {
        if (location.href.indexOf('is-external=true') == -1) {
            parent.document.title="StrictHttpFirewall (spring-security-docs 5.6.3 API)";
        }
    }
    catch(err) {
    }
//-->
var data = {"i0":10,"i1":10,"i2":42,"i3":10,"i4":10,"i5":10,"i6":10,"i7":10,"i8":10,"i9":10,"i10":10,"i11":10,"i12":10,"i13":10,"i14":10,"i15":10,"i16":10,"i17":10,"i18":10,"i19":10};
var tabs = {65535:["t0","All Methods"],2:["t2","Instance Methods"],8:["t4","Concrete Methods"],32:["t6","Deprecated Methods"]};
var altColor = "altColor";
var rowColor = "rowColor";
var tableTab = "tableTab";
var activeTableTab = "activeTableTab";
var pathtoroot = "../../../../../";
var useModuleDirectories = true;
loadScripts(document, 'script');</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
<header role="banner">
<nav role="navigation">
<div class="fixedNav">

<div class="topNav"><a id="navbar.top">

</a>
<div class="skipNav"><a href="StrictHttpFirewall.html#skip.navbar.top" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.top.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_top">
<li><a href="../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<ul class="navListSearch">
<li><label for="search">SEARCH:</label>
<input type="text" id="search" value="search" disabled="disabled">
<input type="reset" id="reset" value="reset" disabled="disabled">
</li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_top");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.top">

</a></div>

</div>
<div class="navPadding">&nbsp;</div>
<script type="text/javascript"><!--
$('.navPadding').css('padding-top', $('.fixedNav').css("height"));
//-->
</script>
</nav>
</header>

<main role="main">
<div class="header">
<div class="subTitle"><span class="packageLabelInType">Package</span>&nbsp;<a href="package-summary.html">org.springframework.security.web.firewall</a></div>
<h2 title="Class StrictHttpFirewall" class="title">Class StrictHttpFirewall</h2>
</div>
<div class="contentContainer">
<ul class="inheritance">
<li>java.lang.Object</li>
<li>
<ul class="inheritance">
<li>org.springframework.security.web.firewall.StrictHttpFirewall</li>
</ul>
</li>
</ul>
<div class="description">
<ul class="blockList">
<li class="blockList">
<dl>
<dt>All Implemented Interfaces:</dt>
<dd><code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
</dl>
<hr>
<pre>public class <span class="typeNameLabel">StrictHttpFirewall</span>
extends java.lang.Object
implements <a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></pre>
<div class="block"><p>
A strict implementation of <a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall"><code>HttpFirewall</code></a> that rejects any suspicious requests
with a <a href="RequestRejectedException.html" title="class in org.springframework.security.web.firewall"><code>RequestRejectedException</code></a>.
</p>
<p>
The following rules are applied to the firewall:
</p>
<ul>
<li>Rejects HTTP methods that are not allowed. This specified to block
<a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)">HTTP Verb
tampering and XST attacks</a>. See <a href="StrictHttpFirewall.html#setAllowedHttpMethods(java.util.Collection)"><code>setAllowedHttpMethods(Collection)</code></a></li>
<li>Rejects URLs that are not normalized to avoid bypassing security constraints. There
is no way to disable this as it is considered extremely risky to disable this
constraint. A few options to allow this behavior is to normalize the request prior to
the firewall or using <a href="DefaultHttpFirewall.html" title="class in org.springframework.security.web.firewall"><code>DefaultHttpFirewall</code></a> instead. Please keep in mind that
normalizing the request is fragile and why requests are rejected rather than
normalized.</li>
<li>Rejects URLs that contain characters that are not printable ASCII characters. There
is no way to disable this as it is considered extremely risky to disable this
constraint.</li>
<li>Rejects URLs that contain semicolons. See <a href="StrictHttpFirewall.html#setAllowSemicolon(boolean)"><code>setAllowSemicolon(boolean)</code></a></li>
<li>Rejects URLs that contain a URL encoded slash. See
<a href="StrictHttpFirewall.html#setAllowUrlEncodedSlash(boolean)"><code>setAllowUrlEncodedSlash(boolean)</code></a></li>
<li>Rejects URLs that contain a backslash. See <a href="StrictHttpFirewall.html#setAllowBackSlash(boolean)"><code>setAllowBackSlash(boolean)</code></a></li>
<li>Rejects URLs that contain a null character. See <a href="StrictHttpFirewall.html#setAllowNull(boolean)"><code>setAllowNull(boolean)</code></a></li>
<li>Rejects URLs that contain a URL encoded percent. See
<a href="StrictHttpFirewall.html#setAllowUrlEncodedPercent(boolean)"><code>setAllowUrlEncodedPercent(boolean)</code></a></li>
<li>Rejects hosts that are not allowed. See <a href="StrictHttpFirewall.html#setAllowedHostnames(java.util.function.Predicate)"><code>setAllowedHostnames(Predicate)</code></a>
</li>
<li>Reject headers names that are not allowed. See
<a href="StrictHttpFirewall.html#setAllowedHeaderNames(java.util.function.Predicate)"><code>setAllowedHeaderNames(Predicate)</code></a></li>
<li>Reject headers values that are not allowed. See
<a href="StrictHttpFirewall.html#setAllowedHeaderValues(java.util.function.Predicate)"><code>setAllowedHeaderValues(Predicate)</code></a></li>
<li>Reject parameter names that are not allowed. See
<a href="StrictHttpFirewall.html#setAllowedParameterNames(java.util.function.Predicate)"><code>setAllowedParameterNames(Predicate)</code></a></li>
<li>Reject parameter values that are not allowed. See
<a href="StrictHttpFirewall.html#setAllowedParameterValues(java.util.function.Predicate)"><code>setAllowedParameterValues(Predicate)</code></a></li>
</ul></div>
<dl>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>4.2.4</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><a href="DefaultHttpFirewall.html" title="class in org.springframework.security.web.firewall"><code>DefaultHttpFirewall</code></a></dd>
</dl>
</li>
</ul>
</div>
<div class="summary">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.summary">

</a>
<h3>Constructor Summary</h3>
<table class="memberSummary">
<caption><span>Constructors</span><span class="tabEnd">&nbsp;</span></caption>
<tr>
<th class="colFirst" scope="col">Constructor</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr class="altColor">
<th class="colConstructorName" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#%3Cinit%3E()">StrictHttpFirewall</a></span>()</code></th>
<td class="colLast">&nbsp;</td>
</tr>
</table>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.summary">

</a>
<h3>Method Summary</h3>
<table class="memberSummary">
<caption><span id="t0" class="activeTableTab"><span>All Methods</span><span class="tabEnd">&nbsp;</span></span><span id="t2" class="tableTab"><span><a href="javascript:show(2);">Instance Methods</a></span><span class="tabEnd">&nbsp;</span></span><span id="t4" class="tableTab"><span><a href="javascript:show(8);">Concrete Methods</a></span><span class="tabEnd">&nbsp;</span></span><span id="t6" class="tableTab"><span><a href="javascript:show(32);">Deprecated Methods</a></span><span class="tabEnd">&nbsp;</span></span></caption>
<tr>
<th class="colFirst" scope="col">Modifier and Type</th>
<th class="colSecond" scope="col">Method</th>
<th class="colLast" scope="col">Description</th>
</tr>
<tr id="i0" class="altColor">
<td class="colFirst"><code>java.util.Set&lt;java.lang.String&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getDecodedUrlBlacklist()">getDecodedUrlBlacklist</a></span>()</code></th>
<td class="colLast">
<div class="block">Provides the existing decoded url blocklist which can add/remove entries from</div>
</td>
</tr>
<tr id="i1" class="rowColor">
<td class="colFirst"><code>java.util.Set&lt;java.lang.String&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getDecodedUrlBlocklist()">getDecodedUrlBlocklist</a></span>()</code></th>
<td class="colLast">
<div class="block">Provides the existing decoded url blocklist which can add/remove entries from</div>
</td>
</tr>
<tr id="i2" class="altColor">
<td class="colFirst"><code>java.util.Set&lt;java.lang.String&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getEncodedUrlBlacklist()">getEncodedUrlBlacklist</a></span>()</code></th>
<td class="colLast">
<div class="block"><span class="deprecatedLabel">Deprecated.</span>
<div class="deprecationComment">Use <a href="StrictHttpFirewall.html#getEncodedUrlBlocklist()"><code>getEncodedUrlBlocklist()</code></a> instead</div>
</div>
</td>
</tr>
<tr id="i3" class="rowColor">
<td class="colFirst"><code>java.util.Set&lt;java.lang.String&gt;</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getEncodedUrlBlocklist()">getEncodedUrlBlocklist</a></span>()</code></th>
<td class="colLast">
<div class="block">Provides the existing encoded url blocklist which can add/remove entries from</div>
</td>
</tr>
<tr id="i4" class="altColor">
<td class="colFirst"><code><a href="FirewalledRequest.html" title="class in org.springframework.security.web.firewall">FirewalledRequest</a></code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">getFirewalledRequest</a></span>&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request)</code></th>
<td class="colLast">
<div class="block">Provides the request object which will be passed through the filter chain.</div>
</td>
</tr>
<tr id="i5" class="rowColor">
<td class="colFirst"><code>javax.servlet.http.HttpServletResponse</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">getFirewalledResponse</a></span>&#8203;(javax.servlet.http.HttpServletResponse&nbsp;response)</code></th>
<td class="colLast">
<div class="block">Provides the response which will be passed through the filter chain.</div>
</td>
</tr>
<tr id="i6" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowBackSlash(boolean)">setAllowBackSlash</a></span>&#8203;(boolean&nbsp;allowBackSlash)</code></th>
<td class="colLast">
<div class="block">
Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
the path or not.</div>
</td>
</tr>
<tr id="i7" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedHeaderNames(java.util.function.Predicate)">setAllowedHeaderNames</a></span>&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHeaderNames)</code></th>
<td class="colLast">
<div class="block">
Determines which header names should be allowed.</div>
</td>
</tr>
<tr id="i8" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedHeaderValues(java.util.function.Predicate)">setAllowedHeaderValues</a></span>&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHeaderValues)</code></th>
<td class="colLast">
<div class="block">
Determines which header values should be allowed.</div>
</td>
</tr>
<tr id="i9" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedHostnames(java.util.function.Predicate)">setAllowedHostnames</a></span>&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHostnames)</code></th>
<td class="colLast">
<div class="block">
Determines which hostnames should be allowed.</div>
</td>
</tr>
<tr id="i10" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedHttpMethods(java.util.Collection)">setAllowedHttpMethods</a></span>&#8203;(java.util.Collection&lt;java.lang.String&gt;&nbsp;allowedHttpMethods)</code></th>
<td class="colLast">
<div class="block">
Determines which HTTP methods should be allowed.</div>
</td>
</tr>
<tr id="i11" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedParameterNames(java.util.function.Predicate)">setAllowedParameterNames</a></span>&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedParameterNames)</code></th>
<td class="colLast">
<div class="block">Determines which parameter names should be allowed.</div>
</td>
</tr>
<tr id="i12" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowedParameterValues(java.util.function.Predicate)">setAllowedParameterValues</a></span>&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedParameterValues)</code></th>
<td class="colLast">
<div class="block">
Determines which parameter values should be allowed.</div>
</td>
</tr>
<tr id="i13" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowNull(boolean)">setAllowNull</a></span>&#8203;(boolean&nbsp;allowNull)</code></th>
<td class="colLast">
<div class="block">
Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path
or not.</div>
</td>
</tr>
<tr id="i14" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowSemicolon(boolean)">setAllowSemicolon</a></span>&#8203;(boolean&nbsp;allowSemicolon)</code></th>
<td class="colLast">
<div class="block">
Determines if semicolon is allowed in the URL (i.e.</div>
</td>
</tr>
<tr id="i15" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowUrlEncodedDoubleSlash(boolean)">setAllowUrlEncodedDoubleSlash</a></span>&#8203;(boolean&nbsp;allowUrlEncodedDoubleSlash)</code></th>
<td class="colLast">
<div class="block">
Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in
the path or not.</div>
</td>
</tr>
<tr id="i16" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowUrlEncodedPercent(boolean)">setAllowUrlEncodedPercent</a></span>&#8203;(boolean&nbsp;allowUrlEncodedPercent)</code></th>
<td class="colLast">
<div class="block">
Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
or not.</div>
</td>
</tr>
<tr id="i17" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowUrlEncodedPeriod(boolean)">setAllowUrlEncodedPeriod</a></span>&#8203;(boolean&nbsp;allowUrlEncodedPeriod)</code></th>
<td class="colLast">
<div class="block">
Determines if a period "." that is URL encoded "%2E" should be allowed in the path
or not.</div>
</td>
</tr>
<tr id="i18" class="altColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setAllowUrlEncodedSlash(boolean)">setAllowUrlEncodedSlash</a></span>&#8203;(boolean&nbsp;allowUrlEncodedSlash)</code></th>
<td class="colLast">
<div class="block">
Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
or not.</div>
</td>
</tr>
<tr id="i19" class="rowColor">
<td class="colFirst"><code>void</code></td>
<th class="colSecond" scope="row"><code><span class="memberNameLink"><a href="StrictHttpFirewall.html#setUnsafeAllowAnyHttpMethod(boolean)">setUnsafeAllowAnyHttpMethod</a></span>&#8203;(boolean&nbsp;unsafeAllowAnyHttpMethod)</code></th>
<td class="colLast">
<div class="block">Sets if any HTTP method is allowed.</div>
</td>
</tr>
</table>
<ul class="blockList">
<li class="blockList"><a id="methods.inherited.from.class.java.lang.Object">

</a>
<h3>Methods inherited from class&nbsp;java.lang.Object</h3>
<code>clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait</code></li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
<div class="details">
<ul class="blockList">
<li class="blockList">

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="constructor.detail">

</a>
<h3>Constructor Detail</h3>
<a id="&lt;init&gt;()">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>StrictHttpFirewall</h4>
<pre>public&nbsp;StrictHttpFirewall()</pre>
</li>
</ul>
</li>
</ul>
</section>

<section role="region">
<ul class="blockList">
<li class="blockList"><a id="method.detail">

</a>
<h3>Method Detail</h3>
<a id="setUnsafeAllowAnyHttpMethod(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setUnsafeAllowAnyHttpMethod</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setUnsafeAllowAnyHttpMethod&#8203;(boolean&nbsp;unsafeAllowAnyHttpMethod)</pre>
<div class="block">Sets if any HTTP method is allowed. If this set to true, then no validation on the
HTTP method will be performed. This can open the application up to
<a href="https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)"> HTTP
Verb tampering and XST attacks</a></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>unsafeAllowAnyHttpMethod</code> - if true, disables HTTP method validation, else
resets back to the defaults. Default is false.</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.1</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><a href="StrictHttpFirewall.html#setAllowedHttpMethods(java.util.Collection)"><code>setAllowedHttpMethods(Collection)</code></a></dd>
</dl>
</li>
</ul>
<a id="setAllowedHttpMethods(java.util.Collection)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedHttpMethods</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedHttpMethods&#8203;(java.util.Collection&lt;java.lang.String&gt;&nbsp;allowedHttpMethods)</pre>
<div class="block"><p>
Determines which HTTP methods should be allowed. The default is to allow "DELETE",
"GET", "HEAD", "OPTIONS", "PATCH", "POST", and "PUT".
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedHttpMethods</code> - the case-sensitive collection of HTTP methods that are
allowed.</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.1</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><a href="StrictHttpFirewall.html#setUnsafeAllowAnyHttpMethod(boolean)"><code>setUnsafeAllowAnyHttpMethod(boolean)</code></a></dd>
</dl>
</li>
</ul>
<a id="setAllowSemicolon(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowSemicolon</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowSemicolon&#8203;(boolean&nbsp;allowSemicolon)</pre>
<div class="block"><p>
Determines if semicolon is allowed in the URL (i.e. matrix variables). The default
is to disable this behavior because it is a common way of attempting to perform
<a href="https://www.owasp.org/index.php/Reflected_File_Download">Reflected File
Download Attacks</a>. It is also the source of many exploits which bypass URL based
security.
</p>
<p>
For example, the following CVEs are a subset of the issues related to ambiguities
in the Servlet Specification on how to treat semicolons that led to CVEs:
</p>
<ul>
<li><a href="https://pivotal.io/security/cve-2016-5007">cve-2016-5007</a></li>
<li><a href="https://pivotal.io/security/cve-2016-9879">cve-2016-9879</a></li>
<li><a href="https://pivotal.io/security/cve-2018-1199">cve-2018-1199</a></li>
</ul>
<p>
If you are wanting to allow semicolons, please reconsider as it is a very common
source of security bypasses. A few common reasons users want semicolons and
alternatives are listed below:
</p>
<ul>
<li>Including the JSESSIONID in the path - You should not include session id (or
any sensitive information) in a URL as it can lead to leaking. Instead use Cookies.
</li>
<li>Matrix Variables - Users wanting to leverage Matrix Variables should consider
using HTTP parameters instead.</li>
</ul></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowSemicolon</code> - should semicolons be allowed in the URL. Default is false</dd>
</dl>
</li>
</ul>
<a id="setAllowUrlEncodedSlash(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowUrlEncodedSlash</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowUrlEncodedSlash&#8203;(boolean&nbsp;allowUrlEncodedSlash)</pre>
<div class="block"><p>
Determines if a slash "/" that is URL encoded "%2F" should be allowed in the path
or not. The default is to not allow this behavior because it is a common way to
bypass URL based security.
</p>
<p>
For example, due to ambiguities in the servlet specification, the value is not
parsed consistently which results in different values in <code>HttpServletRequest</code>
path related values which allow bypassing certain security constraints.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowUrlEncodedSlash</code> - should a slash "/" that is URL encoded "%2F" be allowed
in the path or not. Default is false.</dd>
</dl>
</li>
</ul>
<a id="setAllowUrlEncodedDoubleSlash(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowUrlEncodedDoubleSlash</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowUrlEncodedDoubleSlash&#8203;(boolean&nbsp;allowUrlEncodedDoubleSlash)</pre>
<div class="block"><p>
Determines if double slash "//" that is URL encoded "%2F%2F" should be allowed in
the path or not. The default is to not allow.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowUrlEncodedDoubleSlash</code> - should a slash "//" that is URL encoded "%2F%2F"
be allowed in the path or not. Default is false.</dd>
</dl>
</li>
</ul>
<a id="setAllowUrlEncodedPeriod(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowUrlEncodedPeriod</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowUrlEncodedPeriod&#8203;(boolean&nbsp;allowUrlEncodedPeriod)</pre>
<div class="block"><p>
Determines if a period "." that is URL encoded "%2E" should be allowed in the path
or not. The default is to not allow this behavior because it is a frequent source
of security exploits.
</p>
<p>
For example, due to ambiguities in the servlet specification a URL encoded period
might lead to bypassing security constraints through a directory traversal attack.
This is because the path is not parsed consistently which results in different
values in <code>HttpServletRequest</code> path related values which allow bypassing
certain security constraints.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowUrlEncodedPeriod</code> - should a period "." that is URL encoded "%2E" be
allowed in the path or not. Default is false.</dd>
</dl>
</li>
</ul>
<a id="setAllowBackSlash(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowBackSlash</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowBackSlash&#8203;(boolean&nbsp;allowBackSlash)</pre>
<div class="block"><p>
Determines if a backslash "\" or a URL encoded backslash "%5C" should be allowed in
the path or not. The default is not to allow this behavior because it is a frequent
source of security exploits.
</p>
<p>
For example, due to ambiguities in the servlet specification a URL encoded period
might lead to bypassing security constraints through a directory traversal attack.
This is because the path is not parsed consistently which results in different
values in <code>HttpServletRequest</code> path related values which allow bypassing
certain security constraints.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowBackSlash</code> - a backslash "\" or a URL encoded backslash "%5C" be allowed
in the path or not. Default is false</dd>
</dl>
</li>
</ul>
<a id="setAllowNull(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowNull</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowNull&#8203;(boolean&nbsp;allowNull)</pre>
<div class="block"><p>
Determines if a null "\0" or a URL encoded nul "%00" should be allowed in the path
or not. The default is not to allow this behavior because it is a frequent source
of security exploits.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowNull</code> - a null "\0" or a URL encoded null "%00" be allowed in the path or
not. Default is false</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.4</dd>
</dl>
</li>
</ul>
<a id="setAllowUrlEncodedPercent(boolean)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowUrlEncodedPercent</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowUrlEncodedPercent&#8203;(boolean&nbsp;allowUrlEncodedPercent)</pre>
<div class="block"><p>
Determines if a percent "%" that is URL encoded "%25" should be allowed in the path
or not. The default is not to allow this behavior because it is a frequent source
of security exploits.
</p>
<p>
For example, this can lead to exploits that involve double URL encoding that lead
to bypassing security constraints.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowUrlEncodedPercent</code> - if a percent "%" that is URL encoded "%25" should be
allowed in the path or not. Default is false</dd>
</dl>
</li>
</ul>
<a id="setAllowedHeaderNames(java.util.function.Predicate)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedHeaderNames</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedHeaderNames&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHeaderNames)</pre>
<div class="block"><p>
Determines which header names should be allowed. The default is to reject header
names that contain ISO control characters and characters that are not defined.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedHeaderNames</code> - the predicate for testing header names</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.4</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><code>Character.isISOControl(int)</code>,
<code>Character.isDefined(int)</code></dd>
</dl>
</li>
</ul>
<a id="setAllowedHeaderValues(java.util.function.Predicate)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedHeaderValues</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedHeaderValues&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHeaderValues)</pre>
<div class="block"><p>
Determines which header values should be allowed. The default is to reject header
values that contain ISO control characters and characters that are not defined.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedHeaderValues</code> - the predicate for testing hostnames</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.4</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><code>Character.isISOControl(int)</code>,
<code>Character.isDefined(int)</code></dd>
</dl>
</li>
</ul>
<a id="setAllowedParameterNames(java.util.function.Predicate)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedParameterNames</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedParameterNames&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedParameterNames)</pre>
<div class="block">Determines which parameter names should be allowed. The default is to reject header
names that contain ISO control characters and characters that are not defined.</div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedParameterNames</code> - the predicate for testing parameter names</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.4</dd>
<dt><span class="seeLabel">See Also:</span></dt>
<dd><code>Character.isISOControl(int)</code>,
<code>Character.isDefined(int)</code></dd>
</dl>
</li>
</ul>
<a id="setAllowedParameterValues(java.util.function.Predicate)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedParameterValues</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedParameterValues&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedParameterValues)</pre>
<div class="block"><p>
Determines which parameter values should be allowed. The default is to allow any
parameter value.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedParameterValues</code> - the predicate for testing parameter values</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.4</dd>
</dl>
</li>
</ul>
<a id="setAllowedHostnames(java.util.function.Predicate)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>setAllowedHostnames</h4>
<pre class="methodSignature">public&nbsp;void&nbsp;setAllowedHostnames&#8203;(java.util.function.Predicate&lt;java.lang.String&gt;&nbsp;allowedHostnames)</pre>
<div class="block"><p>
Determines which hostnames should be allowed. The default is to allow any hostname.
</p></div>
<dl>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>allowedHostnames</code> - the predicate for testing hostnames</dd>
<dt><span class="simpleTagLabel">Since:</span></dt>
<dd>5.2</dd>
</dl>
</li>
</ul>
<a id="getFirewalledRequest(javax.servlet.http.HttpServletRequest)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getFirewalledRequest</h4>
<pre class="methodSignature">public&nbsp;<a href="FirewalledRequest.html" title="class in org.springframework.security.web.firewall">FirewalledRequest</a>&nbsp;getFirewalledRequest&#8203;(javax.servlet.http.HttpServletRequest&nbsp;request)
                                       throws <a href="RequestRejectedException.html" title="class in org.springframework.security.web.firewall">RequestRejectedException</a></pre>
<div class="block"><span class="descfrmTypeLabel">Description copied from interface:&nbsp;<code><a href="HttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">HttpFirewall</a></code></span></div>
<div class="block">Provides the request object which will be passed through the filter chain.</div>
<dl>
<dt><span class="overrideSpecifyLabel">Specified by:</span></dt>
<dd><code><a href="HttpFirewall.html#getFirewalledRequest(javax.servlet.http.HttpServletRequest)">getFirewalledRequest</a></code>&nbsp;in interface&nbsp;<code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
<dt><span class="throwsLabel">Throws:</span></dt>
<dd><code><a href="RequestRejectedException.html" title="class in org.springframework.security.web.firewall">RequestRejectedException</a></code> - if the request should be rejected immediately</dd>
</dl>
</li>
</ul>
<a id="getFirewalledResponse(javax.servlet.http.HttpServletResponse)">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getFirewalledResponse</h4>
<pre class="methodSignature">public&nbsp;javax.servlet.http.HttpServletResponse&nbsp;getFirewalledResponse&#8203;(javax.servlet.http.HttpServletResponse&nbsp;response)</pre>
<div class="block"><span class="descfrmTypeLabel">Description copied from interface:&nbsp;<code><a href="HttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">HttpFirewall</a></code></span></div>
<div class="block">Provides the response which will be passed through the filter chain.</div>
<dl>
<dt><span class="overrideSpecifyLabel">Specified by:</span></dt>
<dd><code><a href="HttpFirewall.html#getFirewalledResponse(javax.servlet.http.HttpServletResponse)">getFirewalledResponse</a></code>&nbsp;in interface&nbsp;<code><a href="HttpFirewall.html" title="interface in org.springframework.security.web.firewall">HttpFirewall</a></code></dd>
<dt><span class="paramLabel">Parameters:</span></dt>
<dd><code>response</code> - the original response</dd>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>either the original response or a replacement/wrapper.</dd>
</dl>
</li>
</ul>
<a id="getEncodedUrlBlocklist()">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getEncodedUrlBlocklist</h4>
<pre class="methodSignature">public&nbsp;java.util.Set&lt;java.lang.String&gt;&nbsp;getEncodedUrlBlocklist()</pre>
<div class="block">Provides the existing encoded url blocklist which can add/remove entries from</div>
<dl>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>the existing encoded url blocklist, never null</dd>
</dl>
</li>
</ul>
<a id="getDecodedUrlBlocklist()">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getDecodedUrlBlocklist</h4>
<pre class="methodSignature">public&nbsp;java.util.Set&lt;java.lang.String&gt;&nbsp;getDecodedUrlBlocklist()</pre>
<div class="block">Provides the existing decoded url blocklist which can add/remove entries from</div>
<dl>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>the existing decoded url blocklist, never null</dd>
</dl>
</li>
</ul>
<a id="getEncodedUrlBlacklist()">

</a>
<ul class="blockList">
<li class="blockList">
<h4>getEncodedUrlBlacklist</h4>
<pre class="methodSignature">@Deprecated
public&nbsp;java.util.Set&lt;java.lang.String&gt;&nbsp;getEncodedUrlBlacklist()</pre>
<div class="deprecationBlock"><span class="deprecatedLabel">Deprecated.</span>
<div class="deprecationComment">Use <a href="StrictHttpFirewall.html#getEncodedUrlBlocklist()"><code>getEncodedUrlBlocklist()</code></a> instead</div>
</div>
<div class="block">Provides the existing encoded url blocklist which can add/remove entries from</div>
<dl>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>the existing encoded url blocklist, never null</dd>
</dl>
</li>
</ul>
<a id="getDecodedUrlBlacklist()">

</a>
<ul class="blockListLast">
<li class="blockList">
<h4>getDecodedUrlBlacklist</h4>
<pre class="methodSignature">public&nbsp;java.util.Set&lt;java.lang.String&gt;&nbsp;getDecodedUrlBlacklist()</pre>
<div class="block">Provides the existing decoded url blocklist which can add/remove entries from</div>
<dl>
<dt><span class="returnLabel">Returns:</span></dt>
<dd>the existing decoded url blocklist, never null</dd>
</dl>
</li>
</ul>
</li>
</ul>
</section>
</li>
</ul>
</div>
</div>
</main>

<footer role="contentinfo">
<nav role="navigation">

<div class="bottomNav"><a id="navbar.bottom">

</a>
<div class="skipNav"><a href="StrictHttpFirewall.html#skip.navbar.bottom" title="Skip navigation links">Skip navigation links</a></div>
<a id="navbar.bottom.firstrow">

</a>
<ul class="navList" title="Navigation">
<li><a href="../../../../../index.html">Overview</a></li>
<li><a href="package-summary.html">Package</a></li>
<li class="navBarCell1Rev">Class</li>
<li><a href="package-tree.html">Tree</a></li>
<li><a href="../../../../../deprecated-list.html">Deprecated</a></li>
<li><a href="../../../../../index-all.html">Index</a></li>
<li><a href="../../../../../help-doc.html">Help</a></li>
</ul>
</div>
<div class="subNav">
<ul class="navList" id="allclasses_navbar_bottom">
<li><a href="../../../../../allclasses.html">All&nbsp;Classes</a></li>
</ul>
<div>
<script type="text/javascript"><!--
  allClassesLink = document.getElementById("allclasses_navbar_bottom");
  if(window==top) {
    allClassesLink.style.display = "block";
  }
  else {
    allClassesLink.style.display = "none";
  }
  //-->
</script>
<noscript>
<div>JavaScript is disabled on your browser.</div>
</noscript>
</div>
<div>
<ul class="subNavList">
<li>Summary:&nbsp;</li>
<li>Nested&nbsp;|&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#constructor.summary">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#method.summary">Method</a></li>
</ul>
<ul class="subNavList">
<li>Detail:&nbsp;</li>
<li>Field&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#constructor.detail">Constr</a>&nbsp;|&nbsp;</li>
<li><a href="StrictHttpFirewall.html#method.detail">Method</a></li>
</ul>
</div>
<a id="skip.navbar.bottom">

</a></div>

</nav>
</footer>
<script>if (window.parent == window) {(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)})(window,document,'script','//www.google-analytics.com/analytics.js','ga');ga('create', 'UA-2728886-23', 'auto', {'siteSpeedSampleRate': 100});ga('send', 'pageview');}</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"7040f1834fbe97cf","token":"bffcb8a918ae4755926f76178bfbd26b","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body>
</html>
